mirror of
https://github.com/Yubico/yubico-pam.git
synced 2024-11-29 00:24:11 +01:00
Update and rename YubiKeyAndOpenVPNviaPAM.txt to YubiKey_and_OpenVPN_via_PAM.adoc
This commit is contained in:
parent
39e330e38e
commit
bf248989b3
@ -4,10 +4,6 @@ Introduction
The purpose of this document is to guide readers through the configuration steps to use two factor authentication for OpenVPN using YubiKey. This document assumes that the reader has advanced knowledge and experience in Linux system administration, particularly for how PAM authentication mechanism is configured on a Linux platform.


Details
-------


Prerequisites
-------------
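Review bot: the two-line titles `Details`/`-------` and `Prerequisites`/`-------------` are valid AsciiDoc level-1 section titles, but the same dash characters are used as listing-block delimiters (`------`) further down in this file, so in the source a heading underline and a block fence look alike. Since the file is being renamed to .adoc anyway, consider the single-line form `== Details` / `== Prerequisites`, which also drops the requirement that the underline length match the title.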
@ -55,9 +51,8 @@ a) Configuration of OpenVPN server to support PAM authentication:
add following line to configure OpenVPN client for prompting username and
password:
------
auth-user-pass
------
auth-user-pass


b) Installation of pam_yubico module:
-------------------------------------
@ -96,15 +91,15 @@ each record are separated by “:” character similar to /etc/passwd.
The contents of this file are as follows:
------
<user name>:<YubiKey PublicID>:<YubiKey PublicID>: ….
<user name>:<YubiKey PublicID >:<YubiKey PublicID>:…..
<user name>:<YubiKey PublicID>:<YubiKey PublicID>: ….
<user name>:<YubiKey PublicID >:<YubiKey PublicID>:…..
------
e.g.:
------
paul:indvnvlcbdre:ldvglinuddek
simon:uturrufnjder:hjturefjtehv
kurt:ertbhunjimko
paul:indvnvlcbdre:ldvglinuddek
simon:uturrufnjder:hjturefjtehv
kurt:ertbhunjimko
------
The mapping file must be created/updated manually before configuration
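Review bot: the second format line reads `<YubiKey PublicID >` with a stray space before `>`, and the two lines end with different ellipses (`: ….` versus `:…..`); make both lines identical, e.g. `<user name>:<YubiKey PublicID>:<YubiKey PublicID>:...`. Because this file decides which key may authenticate as which user (it is the `authfile=/etc/yubikeyid` referenced in the PAM stack below), the sentence introducing it should also state that it must be owned by and writable only by root: anyone who can edit it can map their own key to another account.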
@ -165,12 +160,12 @@ iii) Yubico PAM: pam_yubico Version 1.8
iv) "/etc/pam.d/openvpn" file:
------
auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session include system-auth
auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session include system-auth
------
e) Testing the configuration:
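Review bot: the line `auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug` in iv) keeps the `debug` option in the configuration readers will copy verbatim; it makes the module log details of every authentication attempt to syslog. The text should say that `debug` is for the Testing section in e) only and is to be removed once the setup is verified.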
@ -214,7 +209,7 @@ server demon, we can start OpenVPN Server demon at command line as
follows instead of starting it using “init.d” script:
------
[root@testsrv ~]# /usr/sbin/openvpn --config /etc/openvpn/server.conf --daemon openvpn
[root@testsrv ~]# /usr/sbin/openvpn --config /etc/openvpn/server.conf --daemon openvpn
------
We can configure OpenVPN server demon to start at boot time by
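Review bot: the context lines on both sides of the listing still read "server demon" and "OpenVPN server demon"; the word is "daemon", as in the `--daemon` flag of the command itself. Worth correcting while the file is being converted.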
@ -255,18 +250,18 @@ contents to the file:
used by pam_radius_auth PAM module. The content for the file is as follows:
------
<RADIUS server fully qualified domain name/IP Address> <Shared Secret>
<RADIUS server fully qualified domain name/IP Address> <Shared Secret>
<RADIUS server fully qualified domain name/IP Address> <Shared Secret>
.
.
.
<RADIUS server fully qualified domain name/IP Address> <Shared Secret>
.
.
.
------
e.g.:
------
freeradius.example.com Admin456
freeradius.example.com Admin456
------
We can configure failover support for RADIUS server by creating additional
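Review bot: the `<RADIUS server fully qualified domain name/IP Address> <Shared Secret>` file, and the example `freeradius.example.com Admin456`, hold the RADIUS shared secret in clear text, but nothing in this hunk says who may read the file. The paragraph introducing it ("used by pam_radius_auth PAM module") should state that it has to be owned by root with mode 0600, and the example secret should be something that does not look like a guessable `Admin456`, since readers tend to keep example values.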
@ -284,9 +279,9 @@ iv) Yubico PAM: pam_yubico Version 1.8
v) "/etc/pam.d/openvpn" file:
------
account required pam_radius_auth.so
account required pam_radius_auth.so
auth required pam_radius_auth.so no_warn try_first_pass
account required pam_radius_auth.so
account required pam_radius_auth.so
auth required pam_radius_auth.so no_warn try_first_pass
------
B) Testing the configuration:
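Review bot: the v) listing shows `account required pam_radius_auth.so` twice before the single `auth required pam_radius_auth.so no_warn try_first_pass` line; confirm the file is meant to carry one `account` entry. It also has no `password` or `session` lines, whereas the YubiKey-only variant in iv) includes all four stacks via `system-auth`; if that omission is deliberate (OpenVPN only exercises the auth and account stacks), say so in the text so readers do not treat one of the two listings as incomplete.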
@ -315,7 +310,7 @@ their YubiKey IDs accordingly.
Please use the following command for testing:
------
[root@varsha ~]# openvpn /etc/openvpn/client.conf
[root@varsha ~]# openvpn /etc/openvpn/client.conf
------
OpenVPN client will first prompt for username, enter the username.
@ -323,6 +318,4 @@ After that OpenVPN client will prompt for password, enter user’s
password immediately followed by an OTP generated by a YubiKey.


_Note:_
-------
_Please use OpenVPN server Version 2.0.9 (Latest Stable Version), as older and newer beta versions have problems with PAM libraries. RADIUS authentication will fail if it is configured with older or latest beta versions of OpenVPN Server._
NOTE: Please use OpenVPN server Version 2.0.9 (Latest Stable Version), as older and newer beta versions have problems with PAM libraries. RADIUS authentication will fail if it is configured with older or latest beta versions of OpenVPN Server.
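Review bot: `NOTE:` is the right AsciiDoc admonition form for the old `_Note:_` block, but the sentence it carries is stale: it calls OpenVPN 2.0.9 the "Latest Stable Version" and warns readers off newer releases, which as written steers them toward a long unsupported server build. Since the rename touches this line anyway, either qualify the advice with "at the time of writing" or re-test against a current 2.x release and update the version number.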